Rootkits are a type of malware that tends to be extremely stealthy, because rootkits are often designed to hide the existence of certain processes or programs from normal methods of detection. Rootkits often target drivers. Most operating systems support kernel-mode device drivers, which generally execute with the same privileges as the operating system itself. As such, many kernel-mode rootkits are developed as device drivers or loadable modules and, when operating, have unrestricted access to resources and data. Moreover, some rootkits operate to replace a portion of a system's Master Boot Record (MBR). In doing so, the rootkit may be able to store data that is required to survive reboots in physical sectors instead of files. As such, a rootkit may remain hidden from a security application, such as antivirus and antimalware software. In some instances, the rootkit may only need to hook an input/output (I/O) disk driver to hide and protect the modified portion of the MBR. Thus, rootkit detection is difficult because a rootkit may be able to hide its existence by returning clean copies of selected data to an antivirus application, thereby making the detection and removal process extremely complicated and/or practically impossible. It is with respect to this general environment that aspects of the present technology disclosed herein have been contemplated.